SAN FRANCISCO -- Cloud service providers have a way to go to convince security pros of their security, at least...
for sensitive data.
Attendees at the RSA Conference 2011 said cloud computing is good for certain business applications, but they’re leery of putting sensitive applications, such as those used in health care or education, in the cloud.
While cloud computing could help a school district save money in providing student email accounts, sensitive information, such as student records that are subject to state and local privacy laws, need to stay in-house, said the director of IT for a California public school agency who requested anonymity.
“Student records – we can’t just put those in the cloud,” he said. “How do I know where that data sits? Student data can’t go out of the state or even outside of the county. Cloud providers aren’t getting that yet.”
A product manager at a large health care services provider said some corporate applications have moved to the cloud, but hospital applications are legacy applications that don’t lend themselves easily to a cloud migration. He added that it’s hard enough maintaining regulatory compliance in-house: “You can’t just hand that to someone else and trust they’ll do it right.”
An informal poll during a panel at RSA Conference 2011 reflected the same skepticism when it comes to cloud service providers and security.
The panel featured Eran Feigenbaum, director of security at Google Apps, who argued the cloud provides unique technologies to improve on enterprise security. “A lot of cloud providers have the ability to design systems from scratch with security built in.”
But his argument apparently didn’t sway the audience. A majority of the audience, when asked by Archie Reed, chief technologist at HP, said they don’t believe a cloud service could provide better security than they can in-house.
Tanya Forsheit, a founding partner at the InfoLawGroup, said it’s not one-size-fits all with cloud service providers. “You need to start asking questions before you even think of this as a business possibility,” she said, adding that all business stakeholders need to be involved in cloud service evaluations.
“The earlier you know what your internal needs are, the earlier you can map out questions for the provider,” she said.
“It’s up to you to define and understand your risk level tolerance,” Reed said.
According to Feigenbaum, it comes down to a paradigm shift that involves “changing your mindset from a server or data center you control to a contract with an SLA and realizing that is as good or better than what you can do.”
He compared it to the old days of convincing people it was safer to keep their money in banks, but was reminded that banks still got robbed. “Cloud providers will get attacked because that’s where the data is,” he responded, adding that it’s a matter of how the service provider responds.